General
Target: 1983ca8eb7b0270ef0681fa6fd3d1ca8cdf416800c2403be82e8d6cf2b722f12.exe
Size: 446KB
Sample: 240802-qbz54axank
MD5: dcb0a260c42324fea0225b8f07939105
SHA1: a550e5fd06f286f0e2427954fdcffea8333e1d27
SHA256: 1983ca8eb7b0270ef0681fa6fd3d1ca8cdf416800c2403be82e8d6cf2b722f12
SHA512: cbb51b952b72b93586ef791056d3f45d4690199134b173b76942c104d1b8067cd6583d88dc3bc05c3e89905a4c63762f664d9832eefb2e6d6c71ec3c136a95d4
SSDEEP: 12288:EWQofC1P5wYpwmdfCrzhSLmi3Jf+Mg9e:EWK15wwwmdmEb3x+Mg8
Static task: static1
Behavioral task: behavioral1
Sample: 1983ca8eb7b0270ef0681fa6fd3d1ca8cdf416800c2403be82e8d6cf2b722f12.exe
Resource: win7-20240708-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:2005
79.110.62.113:2005
0QFmCI3ycTg10NnI
install_file: USB.exe
Targets
Target: 1983ca8eb7b0270ef0681fa6fd3d1ca8cdf416800c2403be82e8d6cf2b722f12.exe
Size: 446KB
MD5: dcb0a260c42324fea0225b8f07939105
SHA1: a550e5fd06f286f0e2427954fdcffea8333e1d27
SHA256: 1983ca8eb7b0270ef0681fa6fd3d1ca8cdf416800c2403be82e8d6cf2b722f12
SHA512: cbb51b952b72b93586ef791056d3f45d4690199134b173b76942c104d1b8067cd6583d88dc3bc05c3e89905a4c63762f664d9832eefb2e6d6c71ec3c136a95d4
SSDEEP: 12288:EWQofC1P5wYpwmdfCrzhSLmi3Jf+Mg9e:EWK15wwwmdmEb3x+Mg8
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Suspicious use of SetThreadContext